Nicholas created CXF-7680:
-----------------------------
Summary: Restrict the size of SOAP message OR allow only MTOM
messages
Key: CXF-7680
URL: https://issues.apache.org/jira/browse/CXF-7680
Project: CXF
Issue Type: Wish
Components: JAX-WS Runtime, Soap Binding
Affects Versions: 3.2.2
Reporter: Nicholas
I encountered this problem, but couldn't get any help, although hours of
searching...
I am developing B2B web services.
Service is receiving SOAP request where file attachments are encoded in base64
format, application works well, except if one of the client decides to send
very large XML - possibly 500MB of XML data, at this very point my
application's java heap size grows exponentially and mostly throw
OutOfMemoryException. So I decided to use MTOM mechanism to send and receive
messages with large(or several) attachments, application performs well,
memory-wise, but there is still another problem, server and client, BOTH needs
to enable MTOM messaging, even if it is enabled on server, client can send it
still with base64 format and server receives without any worries until
aformentioned exception is thrown. Anyone can create a HUGE xml message that
can crash my app in seconds. How can I secure my application from these kind of
malicious service calls.
Searched a lot, but couldn't find virtually any reliable solution for this.
So question/problem/wish is:
1) How can I restrict the size of SOAP message (only XML part if MTOM).
OR
2) How can I allow only MTOM messages.
What I found/explored:
[http://cxf.apache.org/docs/security.html] in the "Controlling Large Request
Payloads" section there is written about Woodstox parser which can be used to
restrict XML message by its character sizes, but also written that it's not
recommended and it's insecure. Even if this was the solution, how would it
behave in MTOM message.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
